Friday, May 27, 2016

As is to be expected, most corners of the press are coming down hard on Hillary Clinton after the release of the State Department's OIG (Office of the Inspector General) report. If you read the report itself, however, you will see that the case against Hillary has been exaggerated. This is not to say that she didn't make any mistakes, but only that their extent and seriousness are not entirely clear. This is not because the OIG failed to do its job, but because the goal of the report was to identify weaknesses in the State Department's email records management and cybersecurity systems, and not to indict Hillary Clinton.

The report focuses on two main areas of criticism which apply to Secretary Clinton. The first is that she did not strictly follow formal procedures for storing copies of her emails. The second is that she used a private email server without going through the proper channels for clearance.

What the report shows is that the agencies responsible for ensuring the integrity of governmental systems have not been doing their job.

Let's start with the criticism that she did not strictly adhere to formal procedures for preserving records of her emails. The OIG finds that the agency responsible for overseeing such practices--the National Archives and Records Administration (NARA)--was not doing its job: "Although NARA is responsible for conducting inspections or surveys of agencies’ records and records management programs and practices, it last reviewed the Office of the Secretary’s records retention practices in 1991–a quarter century ago." Furthermore, in 2015 (two years after Clinton left the State Department), "NARA reported that 80 percent of agencies had an elevated risk for the improper management of electronic records, reflecting serious challenges handling vast amounts of email, integrating records management functionality into electronic systems, and adapting to the changing technological and regulatory environments." This is about all government agencies, not just the State Department. The OIG is clear: "NARA identified similar weaknesses across the Federal Government with regard to electronic records in particular." The question must be asked: Why was it that almost every governmental agency was failing to follow the formal guidelines for records management, and why wasn't NARA bothering to check to see what was going on?

The answer, as the OIG report makes clear, is that the United States government did not have an appropriate system in place for the proper storage of email records, and NARA did not impose any penalties for failure to comply with their guidelines.

Clinton had a choice: One option was to use the SMART system, which was believed to have technical problems, to be difficult to use, and to "allow overly broad access to sensitive materials." The other option was to print and file all of her emails. She chose to print and file, but--as with almost every other governmental agency--only did so "sporadically":

employees in the Office of the Secretary have printed and filed such emails only sporadically. In its discussions with OIG, NARA stated that this lack of compliance exists across the government. Although the Department is aware of the failure to print and file, the FAM [Foreign Affairs Manual] contains no explicit penalties for lack of compliance, and the Department has never proposed discipline against an employee for failure to comply.

The OIG criticizes Clinton for failing to turn over records of all of her work-related email prior to leaving the office--a failing which can presumably be explained by the fact that her office had only "sporadically" printed and filed its emails. While there is clear evidence that Clinton fell short of policy requirements, the OIG acknowledges that this is "mitigated" by the fact that Clinton was able to produce 55,000 pages of work-related emails upon request.

Yet, the OIG was "unable to systematically assess the extent to which Secretaries Albright, Powell, Rice, Clinton, and Kerry and their immediate staff managed and preserved email records." The report continues:

In particular, OIG could not readily retrieve and analyze email records, in part because of the previously discussed weaknesses in the Department’s records management processes. Although hard-copy and electronic email records dating back to Secretary Albright’s tenure exist, these records have never been organized or indexed.

I would think that no amount of organizing and indexing printed files could guarantee a flawless accounting of any email storage and retrieval system. Unless you have direct access to the emails themselves, then you will never know if any emails were overlooked. Organizing and indexing make it easier to detect whether or not somebody has tampered with the records, but they don't make it easier to detect whether any emails were left out of the record-keeping process altogether. Nevertheless, the OIG has deduced that some emails were left out because they did not receive printed records of emails from the first few months of Clinton's tenure as Secretary of State. This is presumably because Clinton was transitioning into the office and had not established a proper system yet.

In sum, yes, we can criticize Clinton for not strictly following NARA's record-keeping guidelines, but there is virtually no bite to that attack.

The more serious concern, as we have all known for some time, has to do with her use of a private email server. However, on this front, the OIG report offers nothing new of substance. It does not conclude that her email server was unacceptable or that it did not comply with security guidelines. All it says is that Clinton did not go through proper channels to approve the system.

And let's be clear about one thing: This is not about using a private email account. It's about using a private email server. If the OIG report makes anything clear, it is that Clinton was allowed to use private email to conduct official business. The OIG report repeats this, just so we don't misunderstand: "laws and regulations did not prohibit employees from using their personal email accounts for the conduct of official Department business." It is currently advised that "personal accounts should only be used in exceptional circumstances," but this guideline was put in place in 2015, well after Clinton's tenure. So, when Clinton says she was allowed to use a private email account, she is not lying.

The question is, was she allowed to use a private email server?

The OIG report does not give a clear answer to that question. What is clear is that any such system would have had to have been approved, and the OIG couldn't find any evidence that Clinton sought approval through the proper channels:

Throughout Secretary Clinton's tenure, the FAM stated that normal day-to-day operations should be conducted on an authorized AIS [Automated Information System], yet OIG found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server. . . .

During Secretary Clinton’s tenure, the FAM also instructed employees that they were expected to use approved, secure methods to transmit SBU information and that, if they needed to transmit SBU [sensitive but unclassified] information outside the Department’s OpenNet network on a regular basis to non-Departmental addresses, they should request a solution from IRM [the Bureau of Information Resource Management]. However, OIG found no evidence that Secretary Clinton ever contacted IRM to request such a solution, despite the fact that emails exchanged on her personal account regularly contained information marked as SBU.

Though Clinton appears to have made a mistake here, it does not seem to be a punishable offense. This can be deduced from the fact that the OIG ends the report by recommending the following:

The Director General of the Foreign Service and Director of Human Resources should amend the Foreign Affairs Manual to provide for administrative penalties for Department employees who (1) fail to comply with recordkeeping laws and regulations or (2) fail to comply with Department policy that only authorized information systems are to be used to conduct day-to-day operations.

In other words, even though Clinton fell short of formal guidelines (both for record-keeping and for using an unauthorized server), there were no penalties in place for these infractions. The conclusion, therefore, is that Clinton has not been found guilty of a punishable wrong.

The bottom line is, the OIG report does not tell us whether or not Clinton took acceptable precautions to protect the security of her email. It does not tell us whether or not her email system was secure. The OIG report does not give us any new, decisive information about those concerns. All it does is flesh out some of the details in a way which, hopefully, will help the State Department (and other governmental agencies) get their act together.

It's also worth noting that one of the OIG's recommendations is to "evaluate the cost and feasibility of conducting regular audits of computer system usage to ascertain the degree to which Department employees are following the laws and policies concerning the use of personal email accounts." The management rejected the recommendation, saying such audits would "not be beneficial or feasible, especially because the Department already conducts continuous monitoring to ensure the integrity of the Department's networks and systems." Does that mean that there was an appropriate oversight mechanism in place during Clinton's tenure? If so, why didn't they respond to Clinton's use of a private server?
